Security

Cross-site scripting (also known as XSS) occurs when a web application
gathers malicious data from a user. Often attackers will inject JavaScript,
VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other
application users and gather data from them. For example, a poorly design
forum system may display user input in forum posts without any checking.
An attacker can then inject a piece of malicious JavaScript code into a post
so that when other users read this post, the JavaScript runs unexpectedly
on their computers.

One of the most important measures to prevent XSS attacks is to check user input
before displaying them. One can do HTML-encoding with the user input to achieve
this goal. However, in some situations, HTML-encoding may not be preferable
because it disables all HTML tags.

Yii incorporates the work of HTMLPurifier
and provides developers with a useful component called CHtmlPurifier
that encapsulates HTMLPurifier. This component
is capable of removing all malicious code with a thoroughly audited,
secure yet permissive whitelist and making sure the filtered content is
standard-compliant.

Cross-Site Request Forgery (CSRF) attacks occur when a
malicious web site causes a user's web browser to perform
an unwanted action on a trusted site. For example, a malicious
web site has a page that contains an image tag whose src points
to a banking site: http://bank.example/withdraw?transfer=10000&to=someone.
If a user who has a login cookie for the banking site happens to
visit this malicous page, the action of transferring 10000 dollars
to someone will be executed. Contrary to cross-site,
which exploits the trust a user has for a particular site,
CSRF exploits the trust that a site has for a particular user.

To prevent CSRF attacks, it is important to abide to the rule
that GET requests should only be allowed to retrieve data rather
than modify any data on the server. And for POST requests, they
should include some random value which can be recognized by the server
to ensure the form is submitted from and the result is sent back to
the same origin.

Yii implements a CSRF prevention scheme to help defeat POST-based attacks.
It is based on storing a random value in a cookie and comparing this value
with the value submitted via the POST request.

And to display a form, call CHtml::form instead of writing the HTML form
tag directly. The CHtml::form method will embed the necessary random
value in a hidden field so that it can be submitted for CSRF validation.

Protecting cookies from being attacked is of extreme importance, as session
IDs are commonly stored in cookies. If one gets hold of a session ID,
he essentially owns all relevant session information.

There are several countermeasures to prevent cookies from being attacked.

An application can use SSL to create a secure communication channel and
only pass the authentication cookie over an HTTPS connection. Attackers
are thus unable to decipher the contents in the transferred cookies.

Expire sessions appropriately, including all cookies and session tokens,
to reduce the likelihood of being attacked.

Prevent cross-site scripting which causes arbitrary code to run in a
user's browser and expose his cookies.

Validate cookie data and detect if they are altered.

Yii implements a cookie validation scheme that prevents cookies from being
modified. In particular, it does HMAC check for the cookie values if cookie
validation is enable.